(57) Abstract

A system and method for selectively controlling database access by providing a
system and method that allows a network administrator or manager to restrict
specific users (107, 108, 109) from accessing information from certain public
or otherwise uncontrolled databases (i.e., the WWW and the Internet). The
invention employs a relational database (114) to determine access rights, and
this database (114) may be readily updated and modified by an administrator.
Within this relational database (114) specific resource identifiers are
classified as being in a particular access group. The relational database (114)
is arranged so that for each user (107, 108, 109) of the system a request for a
particular resource (102, 103, 104, 105) will only be passed on from the local
network (110) to a server providing a link to the public/uncontrolled database
if the resource identifier is in an access group for which the user (107, 108,
109) has been assigned specific permissions by an administrator. In one
preferred embodiment, the invention is implemented as a part of a proxy server
within the user's local network (110).

SYSTEM AND METHOD FOR DATABASE ACCESS CONTROL



Technical Field 

The invention relates to controlling database access and, more
particularly, to selectively providing such control with respect to otherwise
public databases.

Background Of The Invention

Files or other resources on computers around the world may be
made publicly available to users of other computers through the collection of
networks known as the Internet. The collection of all such publicly available
resources, linked together using files written in Hypertext Mark-up Language
("HTML"), is known as the World Wide Web ("WWW").

A user of a computer that is connected to the Internet may cause
a program known as a client to request resources that are part of the WWW.
Server programs then process the requests to return the specified resources
(assuming they are currently available). A standard naming convention has
been adopted, known as a Uniform Resource Locator ("URL"). This
convention encompasses several types of location names, presently including
subclasses such as Hypertext Transport Protocol ("http"), File Transport
Protocol ("ftp"), gopher, and Wide Area Information Service ("WAIS").
When a resource is downloaded, it may include the URLs of additional
resources. Thus, the user of the client can easily learn of the existence of new
resources that he or she had not specifically requested.

The various resources accessible via the WWW are created and
maintained by many different people on computers around the world, with no
centralized control of content. As particular types of information or images
contained in this uncontrolled information collection may not be suitable for
certain users, it may be desirable to selectively restrict access to WWW
resources. For example, parents or school teachers might wish to have children
access useful information, but not obscene material (which the children may be
exposed to as a result of innocent exploration of the WWW, or through the
incidental downloading of a URL). Another example is the case of school
teachers who would like their students to access just a particular group of
resources during a class meeting. A third example is businesses that would like
their employees to access only work-related resources, but not to spend their
time on other WWW explorations. In general, a particular user might need to
be restricted to different resources at different times, as in the case of a student
restricted to different sets of resources during classes on different subjects.

Some authorities such as schools ask the users to abide by a
policy statement by which they agree to restrict their exploration of the WWW,
for example, by agreeing not to download obscene material. However,
voluntary compliance with such a policy will not prevent the accidental
downloading of resources that are not readily identifiable as forbidden or
inappropriate prior to downloading and viewing.

Naturally, technical solutions such as "firewalls" are also
available to limit or impede access to the WWW and Internet. These firewalls
are software-based gateways that are commonly installed to protect computers
on a local area network ("LAN") from being attacked by outsiders. One effect
of installing a firewall is that WWW clients can no longer directly contact
WWW servers. Typically, this proves too restrictive, and users resort to "proxy
servers" that are directly contacted by WWW clients. These proxy servers have
special abilities to forward requests through the firewall, and thereby provide
communication to and from servers on the Internet. For efficiency, a proxy
server may also cache some resources locally. Current clients and proxy
servers yield access to every public resource in the WWW. They are not
configured to allow a particular user to request some resources, while
preventing access by that user to other resources.

Some "filtering" of the available WWW resources may be
effected within systems that offer indirect access. In these systems an
information provider would download resources from the WWW and maintain
copies of the resources. Users would access these copies. The information
provider can review the resources as they are obtained from the WWW, and
edit out any inappropriate or obscene material prior to making the resource
available to users. A disadvantage of this scheme is that the material provided
by the information provider may be out-of-date compared to the original
resource on the WWW.

In an alternate scheme of "filtered" access to WWW resources, a
proxy server provides a user with a menu of allowed resources that may be
accessed, and users can obtain any resources that can be reached by a series of
links from the menu resources. The user is only permitted to request URLs via
this menu. This particular method has two disadvantages. First, many
resources must be excluded from the menu because they contain links to
inappropriate material, even though they themselves might be acceptable.
Second, a resource may change over time to include new links that might lead
to inappropriate material, and thereby provide a user with an unintended
pathway of access to such.

In still another method of "filtered" access to WWW resources,
the client or proxy server checks each resource for a list of disallowed words
(i.e., obscenities, sexual terms, etc.) and shows the user only those resources
that are free of these words. However, this method does not permit filtering of
images and does not prohibit resources that might be inappropriate due to
content other than specific words.

Yet another means of protecting users from inappropriate or
obscene materials has been established by the computer and video game
manufacturers. The games are voluntarily rated on the dimensions of violence,
nudity/sex, and language. Although such conventions have not yet been
adopted in the WWW, the analog would be to add such ratings to WWW
resources, presumably with digital signatures to prevent forgery. A WWW
client could then, if so programmed, choose not to save or display any resource
that is unrated or has an unacceptable rating for the given audience. The
disadvantage of this scheme is the need to convince the many people who
provide useful servers (often on a non-professional or pro bono basis) to
coordinate with a rating panel.

All of the present systems for limiting user access to
uncontrolled public database resources, such as those available on the WWW,
have obvious shortcomings. Presently, there exists no simple means for an
authority (i.e., teacher, supervisor, system administrator, etc.) to selectively
control WWW access by one or more users, without significantly impairing the
users' ability to communicate with the Internet.



Summary Of The Invention

The present invention overcomes the deficiencies of prior
schemes for selectively controlling database access by providing a system and
method that allows a network administrator or manager to restrict specific
system users from accessing information from certain public or otherwise
uncontrolled databases (i.e., the WWW and the Internet). The invention
employs a relational database to determine access rights, and this database may
be readily updated and modified by an administrator. Within this relational
database specific resource identifiers (i.e., URLs) are classified as being in a
particular access group. The relational database is arranged so that for each
user of the system a request for a particular resource will only be passed on
from the local network to a server providing a link to the public/uncontrolled
database if the resource identifier is in an access group for which the user has
been assigned specific permissions by an administrator. In one preferred
embodiment, the invention is implemented as part of a proxy server within the
user's local network.



Brief Description Of The Drawing

In the drawing:

FIG. 1 is a simplified diagram of an exemplary system
embodying the invention; and

FIG. 2 is a simplified diagram depicting an alternate arrangement
of the system of FIG. 1 facilitating the recognition of user/user terminal classes.

Detailed Description Of The Invention

FIG. 1 is a simplified diagram of an exemplary system
embodying the invention. As shown, the system includes public network 100,
network resources 101-105, and user site 106. Particular users at user site 106
gain access to public network 100 via user terminals 107, 108 and 109. Each of
these user terminals is linked by local area network ("LAN") 110 to processor
111 within proxy server 112. Finally, proxy server 112 provides a connection
from processor 111 to public network 100 via firewall 113.

Requests from user terminals 107-109 for access to network
resources (101-105) through public network 100 are submitted to processor 111
within proxy server 112. In this particular embodiment of the invention, the
submitted requests are assumed to be in the form of URLs. As is well known in
the art, when URLs are submitted to a proxy server, the particular requesting
user terminal is identified to the proxy server by an identification header
attached to the URL. For the system shown in FIG. 1, the identification code
for user terminal 107 is ID107, the identification code for user terminal 108 is
ID108, and the identification code for user terminal 109 is ID109. In addition,
within the system of FIG. 1, URLs designated as URL101, URL102, URL103,
URL104 and URL105, represent requests for information from network resources
101, 102, 103, 104 and 105, respectively.

Upon receipt of an incoming URL, processor 111 is programmed
to determine the identity of the requesting user terminal from the URL header.
This identification information is then utilized by processor 111 to
cross-reference the received URL with information stored in relational database 114.
Relational database 114 contains a listing of user terminal identification codes
(ID107, ID108 ... ID109), each of which is associated with one or more URL
designations. This relational listing specifies the particular URLs that may be
transmitted from a given user terminal to access network resources. As shown,
the allowable URLs for user terminal 107 are URL101, URL102 and URL105; the
allowable URLs for user terminal 108 are URL102 and URLic*; and the
allowable URLs for user terminal 109 are URL101, URL102, URL103, URL104
and URL105. The information stored in relational database 114 would be under
the control of some resident authority at user site 106 (i.e., a system
administrator, or site supervisor empowered to make determinations as to the
various URLs that can be accessed from a given user terminal).

Within the system of FIG. 1, when a requesting user terminal
transmits a URL associated with that particular terminal's identification code
within relational database 114 to processor 111, the request for information
represented by that URL is sent to public network 100. For example, upon
receipt of a URL from user terminal 107 requesting information from network
resource 102, processor 111 would access relational database 114, and thereby
determine that URL102 was indeed an allowable request. Following this
determination, processor 111 would forward URL102 to public network 100 via
firewall 113. Contrastingly, if a URL that is not associated with the requesting
terminal identification code within relational database 114 is received by
processor 111, that request for information is denied. For instance, if URL104
is received by processor 111 from user terminal 107, relational database 114 is
accessed. Since URL104 is not one of the URLs associated with user terminal
identification code ID107 within relational database 114, processor 111 denies
the request for information, and no URL is sent to public network 100.

In the particular embodiment described above, relational database
114 stores a list of user terminal identification codes and the various URLs that
each user terminal should be allowed to transmit to public network 100. It will
be understood that the invention could be modified so that the list of
URLs associated with a given user terminal identification code serves as a list of
URLs that that particular user terminal is not permitted to contact. This
restrictive listing functionality could be readily facilitated by reprogramming
processor 111. In addition, the invention could be modified so that the
identification codes recognized by processor 111 and stored in relational
database 114 are user specific, as opposed to user terminal specific. In other
words, the system of FIG. 1 could be modified so that a particular individual
using a terminal is identified to the system by a personal password or other
identifying code. Access or denial of the transmission of particular URLs is
effected by the system as a function of that person's identity, regardless of the
particular user terminal they may be utilizing.

WO 97/15008    PCT/US96/09510

The processor and relational database within the proxy server of
the invention could also be modified to recognize classes of users and/or user
terminals. There could be any number of user terminals or users with a given
class accessing the proxy server at a particular user site. When any of the user
terminals or users within a given class transmits a URL to the proxy server, the
processor within the proxy server accesses the relational database and determines
if the specific URL represents an allowable request for a user/user terminal in
the identified class. FIG. 2 shows an alternate embodiment of the invention,
which is similar to the system illustrated in
FIG. 1, that facilitates the recognition of user/user terminal classes. As shown,
the system of FIG. 2 includes public network 200, network resources 201-205,
user terminals 207-210, LAN 211, processor 212, proxy server 213, and
firewall 214. The operation of the system of FIG. 2 is substantially similar to
that of FIG. 1; however, two of the user terminals, 207 and 208, are grouped in
a single class. This grouping is reflected in the configuration of relational
database 215. Within relational database 215 the identification code ID207/208
relates to both user terminal 207 and user terminal 208. When a URL from
either user terminal 207 or 208 is received at processor 212, the same listing of
associated URLs is accessed. Both of these terminals are granted or denied
access to the same group of URLs (URL101, URL102 and URL105).
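
The lookups described for FIG. 1 and FIG. 2, together with the restrictive-listing variant, can be sketched with two relational tables. This is an added example, not code from the patent; the table names, the class code ID207_208, the symbolic URL strings used as sample data, and the choice to deny unidentified requesters are assumptions of the example.

```python
import sqlite3


def build_db():
    """Constructed sample data mirroring the listings described for FIG. 1 and FIG. 2."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE member  (terminal TEXT PRIMARY KEY, id_code TEXT NOT NULL);
        CREATE TABLE listing (id_code TEXT NOT NULL, url TEXT NOT NULL,
                              PRIMARY KEY (id_code, url));
    """)
    # Terminal -> identification code. Terminals 207 and 208 share one class
    # code, so both resolve to the same stored listing (code name is illustrative).
    db.executemany("INSERT INTO member VALUES (?, ?)", [
        ("107", "ID107"), ("109", "ID109"),
        ("207", "ID207_208"), ("208", "ID207_208"),
    ])
    listing = {
        "ID107": ["URL101", "URL102", "URL105"],
        "ID109": ["URL101", "URL102", "URL103", "URL104", "URL105"],
        "ID207_208": ["URL101", "URL102", "URL105"],
    }
    db.executemany("INSERT INTO listing VALUES (?, ?)",
                   [(code, url) for code, urls in listing.items() for url in urls])
    return db


def listed(db, terminal, url):
    """True if the URL is associated with the terminal's identification code."""
    row = db.execute(
        "SELECT 1 FROM member m JOIN listing l ON l.id_code = m.id_code "
        "WHERE m.terminal = ? AND l.url = ?", (terminal, url)).fetchone()
    return row is not None


def decide(db, terminal, url, mode="allow"):
    """Return 'forward' or 'deny'.

    mode='allow': the listing names the URLs a terminal may transmit (FIG. 1).
    mode='deny':  the listing names the URLs a terminal may not contact
                  (the restrictive-listing variant).
    """
    known = db.execute("SELECT 1 FROM member WHERE terminal = ?",
                       (terminal,)).fetchone()
    if known is None:
        return "deny"  # assumption: an unidentified requester is never forwarded
    hit = listed(db, terminal, url)
    if mode == "allow":
        return "forward" if hit else "deny"
    return "deny" if hit else "forward"


if __name__ == "__main__":
    db = build_db()
    for terminal, url in [("107", "URL102"), ("107", "URL104"), ("208", "URL105")]:
        print(terminal, url, "->", decide(db, terminal, url))
```
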
The relational database utilized in systems facilitating the
invention could also be configured so that information indicative of allowable
resource access is arranged to conform to resources that are configured in a tree
structure format. The relational database would include a listing of directory
and/or subdirectory identifiers that a particular user or user group would be
granted or denied access to. For example, such a system could be implemented
for requests formulated as a set of strings by means of grouping conventions
such as parentheses together with special symbols for operations such as
repetition and union; regular expressions are well known to people skilled in the
art. A regular expression rule consists of a regular expression together with a
specification of inclusion or exclusion for one or more users/user terminals.
Standard techniques for determining whether a string of symbols matches a
regular expression can be applied to determine whether a particular URL
matches a regular expression; such techniques are familiar to those skilled in the
art.

More generally, the URL http://ourschool.edu/history/* is a
regular expression that specifies all resources within the directory
http://ourschool.edu/history or its tree of subdirectories (a resource containing
information relevant to a particular school's history course). In this case, a
notation for regular expressions is employed that is typical of UNIX shell
languages, wherein "*" represents any string of symbols, including the empty
string. The URL http://ourschool.edu/subject/*answer* specifies any resources
within the directory http://ourschool.edu/subject (or its tree of subdirectories)
that contain "answer" in their names. Access to the "answer" resources would
most likely be restricted to instructors (i.e., students would not be able to view
the answers). In order to specify that students be allowed to view "history"
resources, but excluded from "history answer" resources, the relational
database would store the following regular expression rules that would be
associated with student identification codes:

+ http://ourschool.edu/history/*

- http://ourschool.edu/history/*answer*

The notation "+" indicates a grant of access to a resource, and the "-"
indicates a restriction.
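
One way to evaluate the "+" and "-" rules above against a requested URL, as an added example that is not code from the patent. The identification codes STUDENT and INSTRUCTOR, the sample URLs, the precedence (a matching "-" rule overrides any "+" rule, no match means deny) and the canonicalization step before matching are assumptions of the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed rule rows (identification code, sign, pattern) as they might be
# stored in the relational database. "STUDENT" and "INSTRUCTOR" are
# hypothetical identification codes.
RULES = [
    ("STUDENT", "+", "http://ourschool.edu/history/*"),
    ("STUDENT", "-", "http://ourschool.edu/history/*answer*"),
    ("INSTRUCTOR", "+", "http://ourschool.edu/history/*"),
]


def pattern_to_regex(pattern):
    """Translate the shell-style notation: only '*' is special and it matches
    any string of symbols, including the empty string and '/'."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)


def canonical(url):
    """Assumption of this example: rules are matched against a canonical form
    (lower-cased scheme and host, percent-escapes decoded once, '.' and '..'
    segments collapsed) so equivalent spellings of one resource match alike."""
    parts = urlsplit(url)
    path = "/" + unquote(parts.path).lstrip("/")
    norm = posixpath.normpath(path)
    if path.endswith("/") and norm != "/":
        norm += "/"
    query = "?" + parts.query if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{norm}{query}"


def decide(id_code, url, rules=RULES):
    """Return 'forward' or 'deny'. Assumptions: a matching '-' rule overrides
    any '+' rule, and a request matching no rule is denied."""
    target = canonical(url)
    granted = False
    for code, sign, pattern in rules:
        if code != id_code or not pattern_to_regex(pattern).fullmatch(target):
            continue
        if sign == "-":
            return "deny"
        granted = True
    return "forward" if granted else "deny"


if __name__ == "__main__":
    # Constructed requests: a plain page, an answer page, and two spellings
    # that only match the intended rule after canonicalization.
    for who, url in [
        ("STUDENT", "http://ourschool.edu/history/week1/notes.html"),
        ("STUDENT", "http://ourschool.edu/history/week1/answers.html"),
        ("STUDENT", "http://ourschool.edu/history/week1/%61nswers.html"),
        ("STUDENT", "http://ourschool.edu/history/../grades/all.html"),
        ("INSTRUCTOR", "http://ourschool.edu/history/week1/answers.html"),
    ]:
        print(who, url, "->", decide(who, url))
```

Matching the raw request string instead of the canonical form would let the percent-encoded and dot-segment spellings slip past the "-" rule or ride on the "+" rule, which is why the comparison is done after normalization.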

Yet another modification of the invention would permit the
system to accept requests from users/user terminals that are in a format other
than a URL. The relational database would merely have to be modified to store
sets of information indicative of the particular type of request format being
employed, and associated with a particular user class.

It will be understood that the particular system and method
described above is only illustrative of the principles of the present invention,
and that various modifications could be made by those skilled in the art without
departing from the scope and spirit of the present invention, which is limited
only by the claims that follow.

Claims:

1. A system for selectively controlling network access to one
or more resources, comprising:

a relational database containing a stored listing of user
identification codes and resource identifiers, wherein each of said resource
identifiers corresponds to one or more resources accessible via network, and
said stored listing associates each of said user identification codes with one or
more of said resource identifiers;

a processor adapted to receive a request for network access to
one or more particular network resources, said request including a user
identification code, said processor being further adapted to query said relational
database, and execute said request for network access to said one or more
particular network resources a function of said stored listing being indicative of
an association between said received user identification code and at least one
resource identifier corresponding to said one or more particular network
resources.

2. The invention of claim 1 wherein said processor is
programmed to execute said request for access if said stored listing shows said
received user identification code to be associated with at least one resource
identifier corresponding to said one or more particular network resources.

3. The invention of claim 1 wherein said processor is
programmed to deny execution of said request for access if said stored listing
shows said received user identification code to be associated with at least one
resource identifier corresponding to said one or more particular network
resources.

4. The invention of claim 1 wherein said processor is
contained within a network proxy server.

5. The invention of claim 1 wherein access to said one or
more particular network resources is effected via a public network.

6. The invention of claim 1 wherein each of said user
identification codes identifies one or more terminals adapted for facilitating
network access to one or more particular network resources.

7. The invention of claim 1 wherein each of said user
identification codes identifies one or more individuals authorized to access one
or more particular network resources.

8. The invention of claim 1 wherein each of said resource
identifiers corresponds to one or more uniform resource locators for accessing
one or more particular network resources.

9. A method for selectively controlling network access to
one or more particular resources, comprising the steps of:

receiving a request for access to one or more particular network
resources, wherein said request includes a user identification code and at least
one resource identifier;

comparing said received request for access to a relational
database containing a stored listing of user identification codes and resource
identifiers, wherein each of said resource identifiers corresponds to one or more
resources accessible via a network, and said stored listing associates each of
said user identification codes with one or more of said resource identifiers;

executing said request for network access to said one or more
particular network resources a function of said stored listing being indicative of
an association between said received user identification code and at least one
resource identifier corresponding to said one or more particular network
resources.

10. The method of claim 9 wherein the execution of said
request for access is performed if said stored listing shows said received user
identification code to be associated with at least one resource identifier
corresponding to said one or more particular network resources.

11. The method of claim 9 wherein the execution of said
request for access is denied if said stored listing shows said received user
identification code to be associated with at least one resource identifier
corresponding to said one or more particular network resources.

12. The method of claim 9 wherein said network access to
said one or more particular resources is effected via public network.

13. The method of claim 9 wherein each of said user
identification codes identifies one or more terminals adapted for facilitating
network access to one or more particular network resources.

14. The method of claim 9 wherein each of said user
identification codes identifies one or more individuals authorized to access one
or more particular network resources.

15. The method of claim 9 wherein each of said resource
identifiers corresponds to one or more uniform resource locators for accessing
said one or more particular network resources.